Centrify DirectControl uses Kerberos technology to authenticate UNIX sessions with Active Directory credentials. One of the advantages of using Kerberos is that it enables applications and many common network utilities to be used without having to re-enter user and password information. Since Kerberos is built into DirectControl, it is possible to use standard Kerberos utilities to leverage secure, authenticated, ticket-based single sign-on sessions.
Centrify has compiled an optional package that includes Kerberized utilities and services. These are based on the latest Kerberos distribution from MIT, and the utilities can be used with the standard DirectControl product. The Application Note describes how to install, configure and use the components included with the Centrify DirectControl Kerberos Utilities package.
Get the Kerberos Utilities with Free Active Directory Authentication
You can download the Centrify-enabled Kerberos Utilities along with Centrify Express, our free Active Directory-based solution for authentication and single sign-on to cross-platform systems.
Learn More about Centrify-Enabled Kerberos Utilities
About the Centrify-Enabled Kerberos Utilities
Centrify has made a number of enhancements to the Kerberos environment that make deployment of Kerberos applications simpler. Some of these enhancements include:
- Automated setup of Kerberos. When you join a UNIX, Linux or Mac computer to an Active Directory domain using DirectControl, the setup of all Kerberos-related system configuration files is automatically done for you. For example, the file /etc/krb5.conf is configured correctly to use the Active Directory domain controller as the Kerberos key distribution center. Having these configuration files automatically set up for you means that Kerberized UNIX applications will "just work" using Active Directory as the Kerberos authority.
- Removing the need for .k5login. Normally a Kerberized login-type application such as ssh, telnet or rsh requires a .k5login file on the target system. The creation of these files can become a significant administrative burden. Centrify removes the need for this file in almost all cases. See the Application Note for a detailed explanation of when a .k5login file is needed.
- Removing the need for host-to-realm mapping. If you have disjoint DNS and Active Directory domain names, then you normally need host-to-realm name mappings in the Kerberos configuration file. The maintenance of these entries can be a significant administrative overhead. Centrify's Kerberos implementation removes the need for these entries.
- Secure canonicalization. In many cases Kerberos needs to convert a partial host name to a fully qualified name that includes its realm name. This process is called canonicalization. For example, the host name in the command:
telnet -a system1
will actually be interpreted as system1.centrify.com@CENTRIFY.COM if the system is part of the CENTRIFY.COM realm. MIT's Kerberos distribution uses a combination of DNS and host-to-realm mappings to achieve this translation. The use of DNS is inherently insecure, and RFC 1510 (the main Kerberos standard) specifically recommends against using it but does not offer an alternative. DirectControl implements a more secure mechanism that uses Active Directory's knowledge of the domain and does not rely on DNS.
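What the host-to-realm and canonicalization points above mean for a stock MIT Kerberos client, as an added example (not Centrify's code and not part of the original page): a small audit of a krb5.conf that reports where service-name resolution depends on DNS. The sample file, the example.com/example.net names and the function names are constructed; dns_canonicalize_hostname, rdns and dns_lookup_realm are standard MIT [libdefaults] settings.

```python
# Constructed sample: hosts live in unix.example.net, the realm is CORP.EXAMPLE.COM.
SAMPLE = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_realm = true
[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
    }
[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
"""
# MIT krb5 defaults that apply when a [libdefaults] relation is absent.
DEFAULTS = {"dns_canonicalize_hostname": "true", "rdns": "true", "dns_lookup_realm": "false"}
FALSE = {"false", "no", "off", "0", "n", "nil"}

def parse(text):
    """Return {section: {key: value}}; brace subsections (as in [realms]) are skipped."""
    conf, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line[:1] in ("#", ";"):  # whole-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif line.endswith("{") or line.startswith("}"):
            depth += 1 if line.endswith("{") else -1
        elif depth == 0 and section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            section[key.lower()] = value
    return conf

def realm_for(host, conf):
    """[domain_realm] lookup: exact host name first, then parent domains (.a.b, .b)."""
    table, labels = conf.get("domain_realm", {}), host.lower().split(".")
    names = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((table[n] for n in names if n in table), None)

def audit(text, host):
    """List the ways this configuration relies on DNS to name the service on host."""
    conf = parse(text)
    lib = {**DEFAULTS, **conf.get("libdefaults", {})}
    enabled = {key: lib[key].lower() not in FALSE for key in DEFAULTS}
    canon = enabled["dns_canonicalize_hostname"]  # rdns has no effect when this is off
    checks = [
        (canon, "forward DNS canonicalizes service host names"),
        (canon and enabled["rdns"], "reverse DNS canonicalizes service host names"),
        (enabled["dns_lookup_realm"], "DNS TXT records can pick the realm of an unmapped host"),
        (realm_for(host, conf) is None, f"no [domain_realm] entry covers {host}"),
    ]
    return [message for flagged, message in checks if flagged]
```

On the constructed sample, `audit(SAMPLE, "system1.unix.example.net")` returns all four findings; setting `dns_canonicalize_hostname = false` and `dns_lookup_realm = false` and adding a `.unix.example.net` mapping clears them.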
Supported Platforms
| System | Versions | 32-bit | 64-bit |
|---|---|---|---|
| CentOS Linux | 2, 3, 4, 5 x86 | Yes | |
| | 3, 4, 5 x86_64 | | Yes |
| Citrix XenServer | 4, 5 | Yes | |
| Debian Linux | 3.0, 3.1, 4.0, 5.0, 6.0 x86 | Yes | |
| | 3.1, 4.0, 5.0, 6.0 x86_64 | | Yes |
| Hewlett Packard HP-UX | 11.00, 11.11, 11.23, 11.31 PA-RISC | Yes | Yes |
| | 11.22, 11.23, 11.31 Itanium | | Yes |
| IBM AIX | 4.3.3, 5.1, 5.2, 5.3, 6.1, 7.1 | Yes | Yes |
| Mandriva Linux | One 2008, 2009, 2010, 2011 x86 | Yes | |
| | Ent. Server 5, 5.2 x86 | Yes | |
| | Ent. Server 5, 5.2 x86_64 | | Yes |
| Novell SUSE Linux | Ent. Desktop 9.0, 9.x, 10, 11 x86 | Yes | |
| | Ent. Desktop 11 x86_64 | | Yes |
| | Ent. Server 8, 9, 10, 11 x86 | Yes | |
| | Ent. Server 9, 10, 11 x86_64 | | Yes |
| | Ent. Server 9, 10, 11 PPC | Yes | Yes |
| OpenSolaris | 06/2009 SPARC | | Yes |
| | 11/2008, 06/2009 x86 | Yes | |
| | 11/2008, 06/2009 x86_64 | | Yes |
| OpenSUSE Linux | 10.x, 11.x x86 | Yes | |
| | 10.x, 11.x x86_64 | | Yes |
| Oracle Enterprise Linux | 4, 5, 6 x86 | Yes | |
| | 4, 5, 6 x86_64 | | Yes |
| Oracle Solaris | 2.6, 2.7 (7), 8, 9, 10 SPARC | Yes | Yes |
| | 9, 10 x86 | Yes | |
| | 10 x86_64 | | Yes |
| Red Hat Enterprise Linux | Desktop 5, 6 x86 | Yes | |
| | Desktop 5, 6 x86_64 | | Yes |
| | AS/ES/WS 2.1, 3, 4, 5, 6 x86 | Yes | |
| | AS/ES/WS 3, 4, 5, 6 x86_64 | | Yes |
| | AS/ES/WS 3, 4, 5, 6 PPC | Yes | Yes |
| | AS/ES/WS 4, 5, 6 Itanium | | Yes |
| Red Hat Fedora | 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 x86 | Yes | |
| | 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 x86_64 | | Yes |
| Red Hat Linux | 7.2, 7.3, 8, 9 x86 | Yes | |
| Scientific Linux | 3, 4, 5, 6 x86 | Yes | |
| | 3, 4, 5, 6 x86_64 | | Yes |
| Ubuntu Linux | 6.x, 7.x, 8.x, 9.x, 10.x, 11.04, 11.10 x86 | Yes | |
| | 6.x, 7.x, 8.x, 9.x, 10.x, 11.04, 11.10 x86_64 | | Yes |
| VMware ESX Server | 2.1, 2.5.0, 2.5.1, 2.5.x, 3.0.x, 3.5 x86 | Yes | |
| | 4.0, 4.1 x86_64 | | Yes |